Lenovo Fingerprint Manager has a terrible security flaw

By JC Torres/Jan. 29, 2018 8:05 pm EST

We may receive a commission on purchases made from links.

Intel may have set the tone of 2018 with its Meltdown and Spectre double whammy. While security flaws are, of course, nothing new, but now a lot more attention, including from mainstream media, is being given to them. Lenovo's newest problem might not be as damning as Intel's but it might equally be for those owning certain ThinkPad PCs. According to the manufacturer's bulletin, its fingerprint manager software has a bug that could potentially give hackers easy access to those computers, even when user credentials are encrypted.

Fingerprint scanners on PCs, especially laptops, have predated smartphones but it was only recently that they became more common. With Windows 10, Microsoft introduced its Windows Hello biometric security framework that embraces face recognition and fingerprint scanning among other authentication methods. Prior to Windows 10, however, OEMs had to use their own solutions, which is probably what indirectly led to this situation.

Lenovo has rolled out its own biometric system, the Lenovo Fingerprint Manager Pro. Unfortunately, for a security system, it is apparently terribly insecure. According to Lenovo's bulletin, which is rated with a High Severity level, the login credentials and fingerprint data are indeed encrypted but using a weak algorithm. To add insult to injury, it also has a hard-coded password. Anyone who finds out that password will be able to decrypt that data and gain access to the PC.

The slightly good news is that this only affects ThinkPads running on versions older than Windows 10. Unfortunately, there are still quite a few of those machines running Windows 8.1, Windows 8, or even Windows 7. Lenovo lists these specific models as potentially running the affected version of its fingerprint manager software:

• ThinkPad L560

• ThinkPad P40 Yoga, P50s

• ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560

• ThinkPad W540, W541, W550s

• ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)

• ThinkPad X240, X240s, X250, X260

• ThinkPad Yoga 14 (20FY), Yoga 460

• ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z

• ThinkStation E32, P300, P500, P700, P900

Owners of these PCs are urged to update to the latest version 8.01.87 of the Lenovo Fingerprint Manager Pro. If they haven't upgraded to Windows 10 yet, that is.

SOURCE: Lenovo